US cops have arrested 14 people over an elaborate scheme in which $1m was stolen from casino kiosks, in what the FBI has described as ‘Gone in 60 Seconds’ bank fraud.
The suspects allegedly stole $1m by exploiting a gap in Citibank’s electronic transaction security protocols in casino "cash advance" kiosks - which required multiple …

COMMENTS

So smart and yet so stupid.

"....The stolen funds were often used to gamble, leading many casinos to supply the alleged conspirators with free rooms due to their extensive gambling activity, the FBI said......" So, someone in the gang was smart enough to figure out the loophole, but stupid enough to include a load of gamblaholics in the crew? They were just asking for jail-time. A smarter person would have chosen mules from outside the area, brought them in to do the deed and then got them out of the city before they went on a spending spree. A foolish man and his money are soon parted, but a foolish crim and his liberty are sooner.

Re: So smart and yet so stupid.

Maybe.... maybe not. The gambling of the money may well have been an attempt to launder it, especially if they gambled it particularly smartly (covering 98% of outcomes on a roulette table for example). I used to work in the gambling industry and you'd be amazed how many people try to push a lot of banknotes through betting firms to clean it up.

Re: So smart and yet so stupid.

It's been done - same with Fixed Odds Betting Terminals in betting shops. Feed the machine with £5k of banknotes then print a withdrawal receipt, take it to the counter and collect some nice new banknotes. Betting shop managers have actually got very good at spotting this, and the bookmakers themselves have a legal duty to look for it and report it under the Gambling Act 2006.

Re: So smart and yet so stupid.

Almost definitely.

ATMs are often loaded with new, sequentially numbered, bills. In such cases the number range of the bills dispensed would be known and any subsequent attempt to use large numbers of them would be spotted immediately.

Withdrawing them in a casino and immediately chasing them for chips is quite a cunning method of ensuring that there's no chance of the ranges being alerted before the ill-gotten gains are someone else's problem.

What the hell is that? Would I be going to club fed if I withdrew USD 9000 twice in a row (even though I know nothing about any "reporting requirements" and haven't signed anything about any "reporting requirements" that I can remember)? Even though several three-letter agencies-cum-gestapo-outfits have the records anyway? What kind of downtrodden people accept this sh*t without storming Venerable Places Of High Discourse with sharpened shovels and lead pipes?

It depends on if they think you did it deliberately. That would be the structuring part. The banks have a requirement to report transactions totalling over $10 000, even if you do them separately, but if you're smart enough to do it in a non-obvious way so that they don't notice then you're dumb enough to go to jail.

It gets worse because it's one of those fuzzy rules. You could deposit $5000.01 one day and withdraw $5000 on the next day and it could easily hinge on whether the bank felt the transactions were suspicious. I ran into this little problem when buying a car as I moved $6k from one bank to another, got a bank check from the second bank 3 days later for $7.5k and got a quick lesson in gubbermint reporting BS from the teller.

On the upside, if you can call it that, I hear we're not alone as Italy seems to have banned cash transactions over €5000.

Race conditions?

Re: Race conditions?

No, it's just that the whole process is asynchronous.

The machine itself can authorise up to X, so if it cannot get a connection to the bank, it'll still dispense up to that (I used to exploit that one in my student days, find one that cannot give a balance and hit it). Above X, it has to check the balance online. Once the cash is dispensed, a message goes back to update the balance, a process that takes a while (a long while in the case of an offline auth).

Thus given a balance of 1000 quid and twenty people with cloned cards going "3.....2......1......GO" at separate machines, you can get 20,000 quid. All the machines check the balance online and OK it, the problem only comes to light when the subsequent balance updates take the account 19,000 into the red.

You have to remember that the mechanisms behind these things were designed for the days of dialup connections and packet switched networks, so realtime interaction and locking wasn't on the cards.

Re: Race conditions?

With a credit card, at least in the UK, a facility exists to reserve a sum of money without actually charging it. (I'm not sure what this is actually called.) For instance, a hotel might do this instead of actually charging a deposit against future room charges, or damage. It counts towards your card expenditure limit, though, so it can get in the way of using your card for other things. And sometimes you have a problem with it.

Implementing a similar feature with these cash machines - you want to draw say $200, so the machine checks your balance, reserves $200, then proceeds to give you money, and finally advises the bank that the transaction has been completed.

Re: Race conditions?

The funny thing is that I have seen this before, in the Netherlands - and that was a good 20 years ago (actually, I think it may even have been before the change to Euro, so it's not exactly a new idea).

A TV program about banking security asked senior execs if their bank could be hacked. All but one said "impossible", the one exception was one guy who said "there's no such thing as perfect security, but I think we have done our best".

They were then all shown (on camera) a briefcase full of cash taken from a single account, thus reducing each to a blubbering, protesting heap of lard, again with that one exception who cheerily said "hey, this is new. Let me know how you did this". It happened to be the bank I used (phew).

Let me give you this timeless quote from alt.sysadmin.recovery:

I work for an investment bank. I have dealt with code written by stock exchanges. I have seen how the computer systems that store your money are run. If I ever make a fortune, I will store it in gold bullion under my bed. - Matthew Crosby

Re: Race conditions?

The concept you're talking about exists everywhere (AFAIK), and it's called "pre-authorization". It's specifically used in CCs for the reason you've mentioned: open vouchers at hotels, and car rentals will do it as well.
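The asynchronous check-then-dispense flow described in the "Race conditions?" replies above (twenty cloned cards released at once against a single balance) and the reserve-then-settle fix proposed in the credit-card "pre-authorization" replies can both be reproduced with a small simulation. The code below is an added illustration, not code from any commenter, bank or ATM network; it assumes a constructed toy ledger (`Account`, `race`) in which network latency between dispensing cash and posting the debit is modelled with a sleep. The first variant reads the balance without taking a hold, so every terminal sees enough funds and the account ends deep in the red; the second takes the hold atomically under a lock before dispensing, so only as many withdrawals succeed as the balance can actually cover.

```python
import threading
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    """Toy bank ledger (constructed for this example, not any real bank's code)."""
    balance: int           # posted balance, in whole currency units
    held: int = 0          # amount reserved by in-flight withdrawals
    lock: threading.Lock = field(default_factory=threading.Lock)


def withdraw_check_then_dispense(acct: Account, amount: int, latency: float = 0.1) -> bool:
    """Racy flow: read the balance, dispense, and only afterwards post the debit.

    Many terminals reading the same balance at once all see enough funds;
    the overdraft only shows up when the delayed debits arrive.
    """
    if acct.balance >= amount:          # online balance check, no lock and no hold
        time.sleep(latency)             # cash leaves the machine; debit is still in flight
        with acct.lock:
            acct.balance -= amount      # late balance update
        return True
    return False


def withdraw_with_hold(acct: Account, amount: int, latency: float = 0.1) -> bool:
    """Pre-authorization flow: check and reserve atomically, then dispense, then settle."""
    with acct.lock:
        if acct.balance - acct.held < amount:   # available funds exclude other holds
            return False
        acct.held += amount                     # reservation taken under the lock
    time.sleep(latency)                         # dispense cash
    with acct.lock:                             # settle: convert the hold into a debit
        acct.held -= amount
        acct.balance -= amount
    return True


def race(withdraw, balance: int, terminals: int, amount: int):
    """Release `terminals` withdrawals of `amount` simultaneously ("3...2...1...GO").

    Returns (number of successful withdrawals, final posted balance).
    """
    acct = Account(balance)
    results = [False] * terminals
    go = threading.Barrier(terminals)

    def terminal(i: int) -> None:
        go.wait()                       # every cloned card hits its machine at once
        results[i] = withdraw(acct, amount)

    threads = [threading.Thread(target=terminal, args=(i,)) for i in range(terminals)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), acct.balance


if __name__ == "__main__":
    # Constructed scenario from the thread: 1000 in the account, twenty terminals, 1000 each.
    print("check-then-dispense:", race(withdraw_check_then_dispense, 1000, 20, 1000))
    print("hold-then-dispense: ", race(withdraw_with_hold, 1000, 20, 1000))
```

The hold variant is what makes the outcome independent of network latency: the decision and the reservation happen in one critical section, so the ledger invariant (holds plus posted balance never exceed available funds) holds no matter how long settlement takes. A real authorization host would also expire stale holds and reconcile against the settlement feed, which the toy ledger omits.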

Re: Transactions

The problem is that the time it takes for the ATM to send the message to the back end, the back end to process the full transaction, and send a response to the ATM is longer than the targeted time to complete the transaction the ATM designers have been told to hit. It's not like there is one big server in the middle of the desert somewhere handling all the bank accounts of the world - your ATM may not be talking to the computer that actually tracks your account.

So the simplistic "lock the account" approach won't work in today's "I HAD TO WAIT A WHOLE MINUTE FOR MY MONEY THIS BANK SUCKS" mindset.

Re: Transactions

My bank was "Banco Real", at the time. But, basically, any bank in Brazil will do.

Whenever I do a withdrawal (above a given value) the bank sends me an SMS, telling the amount of the transaction. Usually I get the SMS BEFORE the ATM gives me the money.

The SMS can't have been sent by the ATM - too much trouble to implement this one by one. I don't think there is just one SMS-sending server - but the system is fast enough to track this in real time.

Trust me, the Brazilian bank system is quite agile - something we got from the hyperinflation from the 80's. There was a time where we faced an inflation of over 30% each MONTH. It was madness, I tell you. The one good thing was the bank system we got: heavily automatized and quite fast.

Um how do you set up a throw away account???

In all the countries I've ever had banks in (Aus, UK, Sweden and Germany) you have to provide a McTruckload of data to open a bank account! If you don't have at least 3 forms of ID with addresses, etc. then forget it tiger - no bank account for you!

So how on Earth can you set up a "throwaway" account that you can rip off? Are US laws really that lax?

Re: Um how do you set up a throw away account??? Easily...

The indictment letter will probably include conspiracy with gangs and card cloners, along with contacts inside the DMV. Fake DLs probably are still obtained from DMV employees gone rogue. If not them, then maybe someone has access to a passport employee. If not those, then the bank has lousy ID verification and probably has dirty employees in on such scams.

Pretty soon, we may all have to submit biometrics to open, maintain, and transfer funds between our own accounts.

Re: Um how do you set up a throw away account???

ID in the US is to a far, far lower standard than it is in most of the rest of the world. Remember most Americans don't even have passports, and driving licenses are doled out to 14 year olds at the state level, leaving very very few reliable methods of verifying someone's identity.

Bank loses money in Vegas?

Ok, somehow I don't see this being something I consider to be a bad thing. I've had no love for gambling organizations ever since I've had to stand behind 10 gamblers in line at a convenience store on Saturday with a crying baby to buy him milk. Damn near every one of those people bought 100 tickets or more.

Citibank placed machines in those casinos knowing damn well their purpose was to support the gambling industry. Screw them.